Search Results (45340 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-26447 | 1 Open-xchange | 1 Open-xchange Appsuite Frontend | 2024-11-21 | 5.4 Medium |
| The "upsell" widget for the portal allows specifying a product description. This description, taken from a user-controllable jslob, was not escaped before being added to the DOM. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize jslob content. No publicly available exploits are known. | ||||
| CVE-2023-26446 | 1 Open-xchange | 1 Open-xchange Appsuite Frontend | 2024-11-21 | 5.4 Medium |
| The user's clientID at "application passwords" was not sanitized or escaped before being added to the DOM. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize the user-controllable clientID parameter. No publicly available exploits are known. | ||||
| CVE-2023-26445 | 1 Open-xchange | 1 Open-xchange Appsuite Frontend | 2024-11-21 | 5.4 Medium |
| Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize the theme value and use a default fallback if no theme matches. No publicly available exploits are known. | ||||
| CVE-2023-26316 | 1 Mi | 1 Xiaomi Cloud | 2024-11-21 | 6.1 Medium |
| An XSS vulnerability exists in the Xiaomi cloud service Application product. The vulnerability is caused by the WebView's whitelist checking function allowing the javascript: protocol to be loaded, and can be exploited by attackers to steal the Xiaomi cloud service account's cookies. | ||||
| CVE-2023-26274 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-11-21 | 4.6 Medium |
| IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 248144. | ||||
| CVE-2023-26270 | 1 Ibm | 1 Guardium Cloud Key Manager | 2024-11-21 | 6.5 Medium |
| IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3) could allow a remote attacker to execute arbitrary code on the system, caused by an Angular template injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 248119. | ||||
| CVE-2023-26222 | 1 Tibco | 1 Ebx | 2024-11-21 | 8.7 High |
| The Web Application component of TIBCO Software Inc.'s TIBCO EBX and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a stored XSS on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.9.22 and below, versions 6.0.13 and below and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 5.0.0 and below. | ||||
| CVE-2023-26220 | 1 Tibco | 2 Spotfire Analyst, Spotfire Server | 2024-11-21 | 5.4 Medium |
| The Spotfire Library component of TIBCO Software Inc.'s Spotfire Analyst and Spotfire Server contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s Spotfire Analyst: versions 11.4.7 and below, versions 11.5.0, 11.6.0, 11.7.0, 11.8.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4, versions 12.1.0 and 12.1.1 and Spotfire Server: versions 11.4.11 and below, versions 11.5.0, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.7.0, 11.8.0, 11.8.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, and 12.0.5, versions 12.1.0 and 12.1.1. | ||||
| CVE-2023-26219 | 1 Tibco | 4 Hawk, Hawk Distribution For Tibco Silver Fabric, Operational Intelligence Hawk Redtail and 1 more | 2024-11-21 | 7.4 High |
| The Hawk Console and Hawk Agent components of TIBCO Software Inc.'s TIBCO Hawk, TIBCO Hawk Distribution for TIBCO Silver Fabric, TIBCO Operational Intelligence Hawk RedTail, and TIBCO Runtime Agent contain a vulnerability that theoretically allows an attacker with access to the Hawk Console’s and Agent’s log to obtain credentials used to access associated EMS servers. Affected releases are TIBCO Software Inc.'s TIBCO Hawk: versions 6.2.2 and below, TIBCO Hawk Distribution for TIBCO Silver Fabric: versions 6.2.2 and below, TIBCO Operational Intelligence Hawk RedTail: versions 7.2.1 and below, and TIBCO Runtime Agent: versions 5.12.2 and below. | ||||
| CVE-2023-26218 | 1 Tibco | 1 Nimbus | 2024-11-21 | 8 High |
| The Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: versions 10.6.0 and below. | ||||
| CVE-2023-26206 | 1 Fortinet | 1 Fortinac | 2024-11-21 | 6.8 Medium |
| An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiNAC 9.4.0 - 9.4.2, 9.2.0 - 9.2.8, 9.1.0 - 9.1.10 and 7.2.0 allows an attacker to execute unauthorized code or commands via the name fields observed in the policy audit logs. | ||||
| CVE-2023-26203 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2024-11-21 | 6.1 Medium |
| A use of hard-coded credentials vulnerability [CWE-798] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions may allow an authenticated attacker to access the database via shell commands. | ||||
| CVE-2023-26149 | 1 Quill-mention | 1 Quill Mention | 2024-11-21 | 6.1 Medium |
| Versions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, via the renderList function. **Note:** If the mentions list is sourced from unsafe (user-sourced) data, this might allow an injection attack when a Quill user hits @. | ||||
| CVE-2023-26147 | 1 Ithewei | 1 Libhv | 2024-11-21 | 5.3 Medium |
| All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. An attacker can add the \r\n (carriage return, line feed) characters to end the HTTP response headers and inject malicious content, for example additional headers or a new response body, leading to a potential XSS vulnerability. | ||||
| CVE-2023-26146 | 2 Ithewei, Ithewei/libhv | 2 Libhv, Ithewei/libhv | 2024-11-21 | 6.1 Medium |
| All versions of the package ithewei/libhv are vulnerable to Cross-site Scripting (XSS) such that when a file with a name containing a malicious payload is served by the application, the filename is displayed without proper sanitization when it is rendered. | ||||
| CVE-2023-26140 | 1 Excalidraw | 1 Excalidraw | 2024-11-21 | 6.1 Medium |
| Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization. | ||||
| CVE-2023-26013 | 1 Wpchill | 1 Strong Testimonials | 2024-11-21 | 6.5 Medium |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WPChill Strong Testimonials plugin <= 3.0.2 versions. | ||||
| CVE-2023-25984 | 1 Rigorous-digital | 1 Dovetail | 2024-11-21 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Rigorous & Factory Pattern Dovetail plugin <= 1.2.13 versions. | ||||
| CVE-2023-25981 | 1 Themekraft | 1 Post Form | 2024-11-21 | 6.5 Medium |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ThemeKraft Post Form plugin <= 2.8.1 versions. | ||||
| CVE-2023-25978 | 1 Mindutopia | 1 Protected Posts Logout Button | 2024-11-21 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Nate Reist Protected Posts Logout Button plugin <= 1.4.5 versions. | ||||
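Most rows above share one root cause: user-controllable text (a jslob product description, a clientID, a served filename, an embedded whiteboard link) is written into the page without escaping, or a link target is screened with a denylist that `javascript:` slips past. The following is an added example written for this page, not code from Open-Xchange, Excalidraw, Xiaomi or any other vendor listed here; the widget renderer, the base origin `app.example.invalid` and the sample inputs are assumptions for illustration.

```javascript
// Added example (not any listed vendor's code): two pure helpers for the two
// failure modes in the rows above, untrusted text pasted into markup and
// untrusted link targets used as href.

// Escape the five characters that let text break out of an HTML text node or a
// double-quoted attribute value. Needed only when building markup strings; with
// a live DOM, element.textContent = value needs no escaping at all.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Denylist check of the kind a "whitelist" that still lets javascript: through
// tends to reduce to. Kept here only to show the bypasses in the usage below.
function naiveIsSafeHref(href) {
  return !href.toLowerCase().startsWith("javascript:");
}

// Allowlist by parsed scheme. The WHATWG URL parser strips leading/trailing C0
// controls and spaces and removes embedded tabs and newlines before reading the
// scheme, so obfuscated javascript: variants resolve to the real scheme and are
// rejected. Relative links resolve against `base` (assumed origin, example only).
// Returns the normalized URL, or null for anything not on the allowlist.
function safeHref(href, base = "https://app.example.invalid/") {
  let url;
  try {
    url = new URL(String(href), base);
  } catch {
    return null; // unparseable input: reject rather than guess
  }
  return ["https:", "http:", "mailto:"].includes(url.protocol) ? url.href : null;
}

// Render an "upsell"-style widget from a user-controllable description and link.
// A rejected link degrades to plain text instead of an anchor.
function renderWidget(description, link) {
  const href = safeHref(link);
  const inner = href === null
    ? escapeHtml(description)
    : `<a href="${escapeHtml(href)}">${escapeHtml(description)}</a>`;
  return `<div class="widget">${inner}</div>`;
}

// Constructed inputs: the newline and leading-space variants pass the naive
// check but are still javascript: URLs once a browser normalizes them.
const BYPASSES = ["java\nscript:alert(1)", " javascript:alert(1)", "JavaScript:alert(1)"];

function demo() {
  return {
    naivePasses: BYPASSES.filter(naiveIsSafeHref),       // what the denylist lets through
    allowlistPasses: BYPASSES.filter((h) => safeHref(h) !== null), // what the allowlist lets through
    widget: renderWidget("<b>Pro</b> plan", "javascript:alert(1)"),
  };
}
```

The allowlist is applied after parsing, not on the raw string, because the browser will parse it too; any check that runs on a different view of the input than the consumer gets is a check that can be bypassed.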
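CVE-2023-26147 above describes HTTP response splitting in libhv: a CR/LF pair inside a header value ends the header block early, so whatever follows is read as further headers and then as the body. libhv is C/C++; what follows is an added JavaScript illustration of the same defect beside the check that closes it, written for this page and not taken from libhv. The serializer, the Content-Disposition reflection and the attacker-controlled filename are all constructed for the example.

```javascript
// Added example (not libhv code): a minimal HTTP/1.1 response serializer of the
// kind a hand-rolled server has, first by plain concatenation, then with the
// header check that prevents splitting.

// Vulnerable: header names and values are pasted straight into the wire format.
function buildResponseUnsafe(status, headers, body) {
  let out = `HTTP/1.1 ${status}\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    out += `${name}: ${value}\r\n`;
  }
  return out + `Content-Length: ${Buffer.byteLength(body)}\r\n\r\n` + body;
}

// RFC 9110 field values may not contain CR, LF or NUL, and many parsers end a
// field on a bare CR or LF. Reject rather than strip, so the caller learns the
// value came from an untrusted source. Names are restricted to token characters
// because a name is just as injectable as a value.
const BAD_VALUE = /[\r\n\0]/;
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

function assertHeader(name, value) {
  if (!TOKEN.test(name)) throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
  if (BAD_VALUE.test(String(value))) throw new TypeError(`CR/LF/NUL in header value for ${name}`);
}

function buildResponseSafe(status, headers, body) {
  for (const [name, value] of Object.entries(headers)) assertHeader(name, value);
  return buildResponseUnsafe(status, headers, body);
}

// Read the response back the way a proxy or browser would, so the effect of the
// injection is observable: headers up to the first blank line, body after it.
function parseResponse(raw) {
  const split = raw.indexOf("\r\n\r\n");
  const lines = raw.slice(0, split).split("\r\n").slice(1); // drop status line
  const headers = lines.map((line) => {
    const i = line.indexOf(":");
    return [line.slice(0, i).trim(), line.slice(i + 1).trim()];
  });
  return { headers, body: raw.slice(split + 4) };
}

// Constructed attacker input: a "filename" the app reflects into
// Content-Disposition, carrying a second header and a replacement body.
const EVIL_FILENAME = 'report.pdf"\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>';

function demoUnsafe() {
  const raw = buildResponseUnsafe("200 OK", {
    "Content-Disposition": `attachment; filename="${EVIL_FILENAME}"`,
  }, "legit body");
  return parseResponse(raw);
}

function demoSafe() {
  try {
    buildResponseSafe("200 OK", {
      "Content-Disposition": `attachment; filename="${EVIL_FILENAME}"`,
    }, "legit body");
    return "accepted";
  } catch (e) {
    return e instanceof TypeError ? "rejected" : "error";
  }
}
```

Node's own `http` module already throws `ERR_INVALID_CHAR` on such header values, so the check matters in hand-rolled servers, proxies and frameworks that assemble the wire format themselves, which is the situation the libhv entry describes.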